Skip Menu |
 

Subject: Use getrandom system call on recent Linux kernels
Recent Linux kernels provide a getrandom system call which can have better
behavior than reading from /dev/urandom--it can block when the kernel PRNG
is unseeded, but not when the kernel thinks the acquired entropy pool is
depleted. Using a system call is also more efficient and requires less
from a chroot environment than reading from a device. Unfortunately, glibc
does not currently provide a binding to the new system call, so we need to
use syscall() to access it.

As part of this work, we will rename prng_os.c to prng_device.c, and create
a new prng_os.c which does not burn a file descriptor. Downstream
integrators who do not want the user-space Fortuna PRNG can choose
prng_os.c for platforms which use a getrandom system call, and
prng_device.c for platforms which do not.
From: ghudson@mit.edu
Subject: git commit

Don't feed OS RNG output into the OS RNG

krb5_c_random_os_entropy() now must be provided by PRNG modules.

https://github.com/krb5/krb5/commit/0bbbc2bd3a42cfbd9e6eb34c273da8aaa077c29f
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 0bbbc2bd3a42cfbd9e6eb34c273da8aaa077c29f
Branch: master
src/lib/crypto/krb/crypto_int.h | 3 +-
src/lib/crypto/krb/prng.c | 60 ++++--------------------------------
src/lib/crypto/krb/prng_fortuna.c | 26 +++++++++++++++-
src/lib/crypto/krb/prng_os.c | 6 ++++
4 files changed, 40 insertions(+), 55 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Rename prng_os.c to prng_device.c

https://github.com/krb5/krb5/commit/5e54525fbe40d56f44368e216c92938403cad96d
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 5e54525fbe40d56f44368e216c92938403cad96d
Branch: master
src/lib/crypto/krb/{prng_os.c => prng_device.c} | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add getrandom to k5_get_os_entropy() using syscall

https://github.com/krb5/krb5/commit/a9a48392c088b53d8dd86b8008b4059ab78a3679
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: a9a48392c088b53d8dd86b8008b4059ab78a3679
Branch: master
src/lib/crypto/krb/prng.c | 30 ++++++++++++++++++++++++++++++
1 files changed, 30 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add OS prng intended for use with getrandom()

Add the prng_os.c module, using the name previously occupied by what
is now prng_device.c. Unlike prng_device.c, this PRNG module
maintains no file descriptor and just uses k5_os_random(), which is
most efficient on platforms which have a getrandom() system call.

[ghudson@mit.edu: expanded on commit message]

https://github.com/krb5/krb5/commit/0be7642b2b6f7b9e0acebb2c3d60aa6c3f7543aa
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 0be7642b2b6f7b9e0acebb2c3d60aa6c3f7543aa
Branch: master
src/lib/crypto/krb/prng_os.c | 72 ++++++++++++++++++++++++++++++++++++++++++
1 files changed, 72 insertions(+), 0 deletions(-)